update-ca-certificates calls `openssl rehash` (sbin/update-ca-certificates,
line 192), but LibreSSL does not implement the `rehash` subcommand — it
provides `certhash` instead.

Because the script runs under `#!/bin/sh -e`, the failing `openssl rehash`
causes the script to exit immediately, before the CA bundle file
(ca-certificates.crt) is written. This leaves /etc/ssl/certs in a broken
state: certificate symlinks may have been updated, but the bundle that many
applications depend on is never generated.

The attached patch detects LibreSSL at startup via `openssl version` output
and stores the appropriate subcommand in a shell variable ($REHASH_CMD).
The POSIX `case` construct is used to avoid introducing bashisms, since the
script uses `#!/bin/sh`.

The patch applies cleanly against current ca-certificates master
(ba3830faf6, "Upload to unstable").

Upstream LibreSSL issue:
https://github.com/libressl/portable/issues/1136
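
The failure mode and the detection described above, as an added example (this is not the attached patch and not code from ca-certificates). The function names, the stub `openssl` and the sample version strings are assumptions made for illustration; only `rehash`, `certhash`, `$REHASH_CMD` and `ca-certificates.crt` come from the report.

```shell
#!/bin/sh
# Added illustration; not the attached patch.

# Map the first line of `openssl version` to the hashing subcommand.
select_rehash_cmd() {
    case "$1" in
        LibreSSL*) echo certhash ;;
        *)         echo rehash ;;
    esac
}

# Child script run under `sh -e`, mirroring the order the report describes:
# hash step first, bundle written afterwards. The openssl() function is a
# constructed stub that behaves like LibreSSL (no `rehash` subcommand).
UPDATE_STEPS='
openssl() {
    case "$1" in
        certhash) return 0 ;;
        *)        return 1 ;;
    esac
}
openssl "$1" "$2"
: > "$2/ca-certificates.crt"
'

# Run the steps with subcommand $1 in scratch directory $2 and report
# whether the bundle exists afterwards ("written" or "missing").
bundle_after_update() {
    rm -f "$2/ca-certificates.crt"
    sh -e -c "$UPDATE_STEPS" sh "$1" "$2" || true
    if [ -e "$2/ca-certificates.crt" ]; then
        echo written
    else
        echo missing
    fi
}

# Demo in a scratch directory; version strings are constructed samples.
demo_dir=$(mktemp -d)
REHASH_CMD=$(select_rehash_cmd "LibreSSL 3.9.2")
echo "hard-coded rehash: bundle $(bundle_after_update rehash "$demo_dir")"
echo "detected $REHASH_CMD: bundle $(bundle_after_update "$REHASH_CMD" "$demo_dir")"
rm -rf "$demo_dir"
```

A quick check on an affected host is whether ca-certificates.crt is older than the most recent change to the symlinks in /etc/ssl/certs, which indicates the script exited before the bundle step.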